No sessions in the initial port. Sessions basically work via cookies or temp files, and with the way WWWThreads is set up it actually is basically a session once you log in. Every script knows who you are, so we can track and display any type of info for a particular user.

I really DISLIKE the feature of w3t saving my username, password, language, and some other variable in a cookie. I'm not really against cookies but there are some browsers that do throw fits when another part of the web site attempts to set a cookie with a different directory (w3t specifies its own directory so I can't just set mine to path=/). All I have been able to tell these users is to upgrade to the latest browser version. Session support would fix this. Sessions are incredibly easy to support, Scream; their functionality is pretty much the same as your cookies. All you would need is 1 function call at the top of your page and replacing your setcookie() call with session_register(). Also people with cookies disabled and people with old computers could access w3t because it would append the session ID to the end of the URL instead of sending it via a cookie.

For those who are interested, I'll release a hack for session support as soon as I see the PHP version of w3t.

Finally I'll be making hacks by the hundreds for w3t because it's finally in PHP, a language I like, unlike Perl (which should be banned by the U.N. from being used or something like that) :)

The one thing I haven't figured out about sessions, and one of the main reasons I haven't used it yet. A lot of people don't like to have to log in every time they come to visit the forums. From what I have read so far, sessions are only for that current browser session. So, users would have to login each time they visited, correct? Also, I haven't come across where you specify to store the session variables, cookies, temp files, etc. Any help would be appreciated. If there really is a benefit to using sessions, then I would use them.

As a followup, I know some of the session info can be set in the php.ini file. Since a lot of users will be on a hosted machine, do you know if there is a way to set this in a required file, like the main.inc.php that I will use for all functions?

Blah, scratch that. While I do have sessions working, they don't cross browser sessions. Which means users will have to login upon each visit. Unless we store a username and password cookie, which bypasses the whole need for sessions in the first place :rolleyes:

I don't really think there is a speed benefit. Your cookies are automatically sent with every request to the site, so there really isn't much going on there.

The only reason I can think of to use sessions would be so you don't have to use cookies. So, if we are going to use cookies at all then there really isn't a need for sessions.

You can do persistent connections with PHP, no need for sessions for this. Don't have the variable put into the config yet, but it will be.

There would be quite a bit of file I/O on heavy traffic sites if sessions are used. Right now I'm just going to port with the cookies until I gain more knowledge in this area and can see a real benefit.

oh that's right.. duh wtf was I thinking (about cookies being sent in the headers..)

Ok here's what I say you do.. People who don't use cookies are screwed basically right? So when the user logs in give them the option to pick cookies or sessions.. sessions are temporary for that browser session and cookies last longer..

That way people who refuse to turn cookies on can still browse the forum.. (they don't have to login for every post or what not)

or is it possible to tell if user has cookies turned off? if so just check and if they do.. use a session to track them once they login or something.. that way cookies are used when they can be, but if not then sessions are used instead..?

I see no need to move everyone to sessions, just those who can't/won't use cookies.

It's a simple matter to tell if a user is accepting cookies--attempt to set a test cookie, refresh to another page that checks if that cookie was actually set. If it was, continue as normal, if not, switch over to sessions.

That gives the cookie-less people an almost identical experience to the rest of us. I suppose you could have an option somewhere of "cookies or sessions", but I don't think that's really necessary--if someone doesn't want to use cookies, they can just turn them off themselves.

I personally don't understand people who don't use cookies. Everyone _can_ use cookies...it's been in since Netscape 1.1. Unless they're using Lynx or something similar (which still supports cookies, I think)...Regardless...cookies are so entirely harmless, that I have no pity for anyone who doesn't use them. It's a wonderful way to use functions like w3t and it doesn't store anything that wasn't available to the site in the first place. Since sessions are only once per browser session, they really do the user almost no good! The only thing they do for the user is...well...nothing! You still have to login every time you come to the site, and the best way to handle the user being logged in or not is with cookies. Unless someone can come up with any good reason not to use cookies, I see no reason to spend even a minute on sessions...

Outside apps that you run on your computer -can- look at cookies and possibly find information..

Also.. A while back I wrote a .js file that could be included in a post on this forum.. It would pull your user name and password, then create an image tag pointing to a cgi script on my server (with a query string that contained the user name and password) From there it could store everybody's user name and password into a database (I just wanted to see if it worked.. it did.. so I reported it as a bug and deleted the scripts)

Although cookies aren't a -bad- thing.. some people are silly and think they are.... For those people it would be nice to have sessions.. You're right that sessions work in just one instance of your browser, but that isn't a bad thing.. you have to login every time you close the browser, but at least you can post messages on the forum if anon users is turned off.. without cookies you can't I don't think (or if you can, you have to login every time!!)... Also people could see you in the who's online list etc.. without sessions or cookies you are basically an anonymous user.. which means you might not have as many options as a user who is logged in........

Oh and like a33 says above.. Cookies are used a lot for tracking users.. I know this for a fact because the company I -used- to work for (coremetrics.com) tracks users with a cookie.

I think there is a definite privacy risk involved with cookie use. I'm not paranoid or anything, but I think most of us know by now that advertising companies profile us, greatly through the use of cookies.

I don't have any problem with "regular" cookies, ones that are actually meant to make things easier (like the ones for W3T). It's the 3rd party cookies that I try and avoid like the plague. If you've ever set your browser to prompt you for cookies before accepting, you'll know what I'm talking about. You go somewhere like msn.com and see cookies being sent from all these different ad company domains. Hmmmm... I wonder what they're doing? I'm sure there's a "good" reason why those cookies need to be sent to me, right? I don't think so...

If anyone wants to see a browser with outstanding cookie filtering options, check out Opera 4.0. I swear by it now and wouldn't consider switching back to anything else. You can set it to block all cookies, block just certain domain cookies, accept only certain domain cookies, block 3rd party cookies, etc. It's just perfect.

I have it prompt me for all domains that I haven't already set up a filter for. When new domains come in, I set them to either be accepted or blocked from that point on. The first week or so of doing this, I got prompted all the time, but now 90% of the sites I visit regularly have been recorded one way or another, so I rarely get asked about cookies now. And of course, every ad company's domain I've ever come across has been blocked--if you do just that, you'd be amazed at the amount of cookies that are wiped out.

Even without the cookie filtering, Opera's a great little browser--speedy too.

Ok, what I am doing is making this an option on a per site basis. If you have access to your own php.ini file and you choose to use sessions, you could set it so the session id is stored in a cookie and is persistent so they won't have to log in each time. If you don't have access to your own php.ini file and you don't want your users to have to login each time then you could use cookies for the default tracking method.

As far as the outside apps, that would be what I would call a "bad" app :) ..one that searches your HD for cookies? That program wouldn't get used by very many people, and if it did, I would call it a virus. That's not an insecurity of cookies...it's an issue with virus type software. As far as the JS, I saw that, and it's interesting, and as you mentioned, a bug that w3t even allowed it. Again...not a cookie problem.

Oooh...almost forgot...as far as tracking users...you can only track them on your own site!! Not very useful, except for improving the site you go to! :) BTW...it's very easy to enable cookies in people's browsers. ;)

How can it be a privacy risk? They can't get any information from you that you didn't give them/they are able to read anyway! They can track you only in their own site...they can't monitor your overall web activity. The best they can get if you don't put any info in is your IP, browser, etc....not like they're invading your privacy!

Maybe I'm just weird, but to me, the idea of these companies tracking my online habits and putting it all together in one huge database, either connected to my IP address, or in some cases my actual name, etc., is more than a little disturbing.

I'll continue to monitor all incoming cookies and decide for myself which ones are necessary. If you're not bothered by this, then by all means, continue treating cookies as harmless little things.

True, it's a bad app, but what makes you think it doesn't happen? Almost all Microsoft products grab information about you from the registry and send it to microsoft (like when you register an app)....... does that stop people from using the software? nope!

Most people don't even know about it... They could do that with cookies also and you would never know. (not saying anybody does, but it is possible)

Also, yes you CAN track cookies over multiple sites.. ad companies do it .. all you do is set a global cookie......... coremetrics puts a cookie on your machine and tracks -everything- you do on ANY site that runs their product.. (when you visit the site it reports to their servers w/ your cookie id and what you are doing) in other words if you fill out a form with your name and address, it gets sent to coremetrics and associated with your cookie.. bet ya didn't know that? hehe... (this only happens on sites that run coremetrics product though)

I'm not saying that is bad .. they don't use the information in a bad way.. but it IS possible...... some banner ad companies sell your 'surfing' habits (they know which of their affiliate sites you have visited, and where you went on those sites etc..)

again.. nothing bad really, but it's still possible to do, there is no denying it..

as for the js file thing.. yeah.. it was a bug on here, but it still only affects people who use cookies and if I never said anything nobody would have ever found that bug I don't think.. people who turn off cookies -can- be just protecting themselves from bugs like that.. they do exist, and they are a threat... shutting off cookies DOES make things a little safer... I know it's not the cookie's fault, it's a misuse of cookies by the person who creates the product, but nonetheless it still happens, and people don't find out about it until it's too late...

Ah, I see...so they have my ID. Ummm...yeah. My "ID". Hope they don't, ya know, look up that "ID", in their ID database! They might find that I use IE5.5! ;) I do know that they can connect that ID to my info...IF I ever gave them my info! Otherwise, it means nothing to them, except the path of a "human" on the web! :) I guess it is a matter of personal preference, but that seems kinda paranoid to me...I dunno. I guess the option is nice. But...uh oh...that means that in the case of the "global cookie", PHP sessions won't help!! DOH! So basically, my point is that w3t has a useful and valid use for cookies, which everyone should use. I have said it, and thus it has been said. ;) On the other hand, thanks for putting in the option, Scream.

Let's put it this way.. You visit a site to buy something.. The site grabs your cookie and then reports back to a server that you just visited their site. Then you decide to buy a product so you find the stuff you want and add them to your cart.. Each time you add an item to your cart the website tells the server exactly what items you are adding to your cart. THEN you fill out your address and cc info.. That gets sent to the server also (along with your cookie id!!).. now that site has all of your info.. so where does this cookie id come in? well it's a global cookie which means you are tracked across multiple sites, which all run this "tracking" software...

That means I can go to my "user tracking" database and do a lookup on "Lone\/\/olf" and I can see that you visit this sex site and got a porno, then you went to walmart.com and got some handcuffs, then you went to some other place and got a new bike.... and then I can go and sell all of your contact information to another company who wants to send you ads for porno since they KNOW you like to buy porno............. Not just email ads, but phone, and snail mail ads also. this can be done without using cookies, but cookies is what ties it all together.. it's what the site uses to know who you are on each page you visit, and it is used to track you on other websites.. etc.. and you never know all of this is happening either.. not unless you always read the privacy pages on every website you shop at...

and yes.. w3t's use of cookies IS very valid.. I'm just saying that people who disable cookies probably have a pretty good reason, and I wouldn't say they are 100% wrong, and I think it would be good to take these people into account because they -are- out there and they do deserve to use this forum if they want, without having to enable cookies.. Tracking users who have cookies disabled by using a session is a good enough solution.. it will let them use the forum, but they will have to login every day, or every time they close the browser.. that beats not being able to use the forum at all.

scream, if you download ewaddle from http://www.ewaddle.com/ you'll get a clever way to get the session capabilities without relying on PHP4 sessions. I think PHP3 will continue to be the most used coding script for a while before being replaced by PHP4. Reasons are multiple.

Only problem with this, is that cookies are not needed for this scenario! If I buy from a site that totally doesn't use cookies, they still get my info, they can still send me mail! If I go to Wal-Mart (in real life, not on the web), I still get magazines, etc. from them! Do you really think that you aren't tracked, just because you disable the cookie? Do you seriously think that Wal-Mart, etc don't sell your data to ad companies and data warehouses? And if you really didn't want to get the catalog of porn, then you probably shouldn't have told the porn store where to ship the merchandise!

Please realize that I'm not arguing the point of having an alternative in w3t...alternatives are always nice. I just like playing Devil's advocate ;)

Right and wrong.. I already said you didn't have to have cookies.. =) Cookies just tie things together.. it helps.. it makes your information a lot more valuable.. Your shopping habits on a single site might be worth money, but your shopping habits across a LOT of sites.. now that is some serious information...

What I am saying is that an outside company that provides 'metrics' software to other websites tracks you.. they can track you across multiple sites, and THEY can sell your info..

I'm not saying that you go shop at walmart.com and then walmart sells your information.. I'm saying that you go shop at walmart, then 10 other sites.. and the outside company who has their product on all of these sites tracks you.. -they- know a lot more about you than any single web site... They know that you like to buy candy from walmart.com, and cars from cars.com and tools from home depot etc etc.. That might not bother -you- personally (I know it doesn't bother me) but it -does- bother some people.. I mean.. that tracking company probably knows more about your shopping habits than you do...

And none of that is made up either.. heh.. the company I used to work for does it.. That's how I know.. They are legit, they don't sell your info, but if they really wanted to......... they could.. period.. if a hacker gets their database they will know A LOT about you..

once again.. I am -pro- cookies, but I do understand why people turn them off.... Using them CAN be a security risk, although it's probably not likely for the most part...

If all of the web apps on the internet used cookies like w3t does (or did? haven't looked lately) I could go around getting people's info left and right..

It might not be the cookie's fault that the information is there, but it IS the cookie's fault that I am able to GET that information!!!!!


Even if all sites used cookies the way w3t did before, only the sites that allowed you to post would let you get people's info. Many sites _do_ use cookies this way (login info), but don't let you steal them, since you can't post JS on the pages the user goes to. And it's not the cookie's fault you're able to get that info in the insecure situations...it's the website programmer's fault! :)

Sorry I just re-read what... *scratches head* I don't know how the hell I messed that up lol... I guess proof reading is a good thing.

Here's my points:

1. JavaScript isn't the only method to grab cookies.. JavaScript is just the 1 method that I found for THIS forum.. Other forums or products will have their problems also I'm sure...

2. Cookies can be insecure.. Just because it's the programmer's fault, doesn't make it any less secure....... Does it? Nope it's not the cookie's fault that your un-encrypted password is sitting there in a cookie.... It's the programmer who put it there.. But forget about blame.. it's still there right? And there are still potential ways for somebody to get to that information right???! That is a good enough reason for -some- (not all) people to turn off cookies.. If you want to be as secure as possible (a complete security freak) then turning off cookies is a must...

No matter how you look at it, cookies CAN store sensitive data that other people CAN get into if they know what they are doing AND the end user doesn't have much to do about it since it is all done behind the scenes (little or no user interaction)..... That's a security risk.. Yeah it's a low one for the most part, but it's still a security risk.. So some people disable their cookies for that reason. Other people disable them because they hate being tracked by banner ad companies.

It's programmers who think "oh.. cookies.. those are secure.. no need to worry about checking them for security" that leave big friggen security gaps in their programs..

Cookies aren't secure by default.. You have to write your app to make them that way.. You can't just dismiss them as nothing..

Any time you are taking user information and store it some where you should look at the security of it all.. Databases can be just as insecure if your app isn't written right..

For example.. you might not strip special chars off a search form and a user could figure out a way to write code that does a select statement on the user_info table and prints it out to the screen... who knows?!?!?!

quote: Just for clarification, sessions do not reside in the server's memory. They are written to a temp directory on the server. When needed they are accessed or updated

Even when the user IS online?

Sessions are temporary.. They go away when you close your browser, or when they expire.. They are supposed to be used to pass information from page to page during your current session.. I would think that they are stored in a binary db file on the server, not a text file..(for speed) but I'm probably wrong about that... (it probably depends on what language you are using.. ASP probably handles sessions different than PHP) .. In this case (passing login info) I would say sessions should only be used IF the user does not want to use cookies.. I would hate to have 200 users all having info passed using sessions.. that would slow things way down.

Well, if you are on a server that loses files then that would be bad;). But then sessions would be the last of your problems:).

Sessions work something like cookies, yes. All user profile info will still be stored in the database, sessions just track you while you visit the site.

How it works right now is you log in, and I set a cookie that has your username, encrypted password and language preference on your machine. Each time you request another page I grab this info from your cookie.

If you use sessions, in the php version this info is stored in a temporary file on the server. So instead of retrieving the info from your cookie, we grab it from the temp file.

There are 2 ways that sessions can work. One, you pass the session id (which points to the temporary file) to each script. Two, you set a cookie with the session id. So, we grab the session id from your cookie, and then grab the other info from the session file.

Hopefully that makes some sense. You will be able to choose either method (all cookies, sessions with no cookies, or sessions with cookies) for your users.
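
Added example, not part of the thread and not WWWThreads code: the "sessions with cookies" option from the last post, configured at runtime in an include instead of in php.ini, so the browser holds only a random session ID rather than the username and password. The `forum_*` function names and the in-memory user table are assumptions; it uses `$_SESSION` and PHP 7.3+ cookie options rather than the `session_register()` call mentioned earlier in the thread.

```php
<?php
// Added example (hypothetical helper names; not WWWThreads code).

// Set session options at runtime, so no access to php.ini is needed.
function forum_session_start(int $lifetime = 2592000): void  // 30 days
{
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    session_set_cookie_params([
        'lifetime' => $lifetime, // 0 would end the login when the browser closes
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable by script running in the page
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample user table; a real forum would query its database.
function forum_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
            'lang' => 'english',
        ]];
    }
    return $users;
}

function forum_login(string $username, string $password): bool
{
    $user = forum_users()[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh ID at login (session fixation)
    $_SESSION['username'] = $username; // kept in the server-side session file
    $_SESSION['lang']     = $user['lang'];
    return true;
}

function forum_current_user(): ?string
{
    return $_SESSION['username'] ?? null;
}

function forum_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'],
    ]);
    session_destroy();
}

// Page script: the browser only ever holds the random session ID.
forum_session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    forum_login((string) filter_input(INPUT_POST, 'username'),
                (string) filter_input(INPUT_POST, 'password'));
}
$who = forum_current_user();
echo $who === null ? 'Not logged in' : 'Logged in as ' . htmlspecialchars($who);
```

With `httponly` set, script injected into a post cannot read the session cookie, and because no password is stored client-side there is nothing reusable in the cookie once the session is destroyed.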